Citibank has launched a service that I’ve wanted for a long time. You can now create a unique credit card number for each and every transaction that can only be used once. Perfect for those sites that want to charge you $9.95 for the first month and then rebill you every month until the second coming.

To use it you’ll need a Citibank credit card (not hard to get; they’d probably give one to my cat if I asked).

There’s a desktop client for Windows, but Mac and Linux users will have to use the web interface. You’ll need to allow popups for this to work. First, log in at https://www.accountonline.com/. Then you should see “Virtual Account Numbers” toward the top right of the page. Click it.

You’ll then be asked to agree to some terms and conditions. There doesn’t appear to be anything too onerous in there, just the usual verbiage designed to make more work for lawyers. If you signed up for the credit card in the first place, you’ve already agreed to worse than this.

Once you’ve agreed to the terms, a little Flash app loads in a pop-up window. You’ll have to enter your username and password again. Then you can generate virtual account numbers, view the existing numbers, or look over the transaction history.

When you generate the account number, the window will show all the details you need to make a single online credit card purchase: name, account number, expiration date, and CVC code.

I’m reconfiguring my office, and moving equipment around, so I experimented by using this virtual account number to order some Liberator power strip extenders from Cyberguys, a company I’ve never shopped with before. The transaction appeared to go through without a hitch. The order status currently shows “Awaiting CC Auth” though. We’ll see if it arrives.

It occurred to me that I really ought to try buying two things to see if this really works like it’s supposed to, so next I went to ThinkGeek and bought a PowerSquid using the same virtual account number. Wait a minute. That wasn’t supposed to happen! The number was supposed to be good for one time use only!

My guess is that ThinkGeek isn’t actually waiting to authorize the payment before showing me the confirmation screen. Either that, or Cyberguys didn’t authorize their payment fast enough and ThinkGeek got there first. (Luckily I need a PowerSquid too.)

OK. Cyberguys just e-mailed me to tell me “We have been unable to obtain an authorization for the credit card number used for this purchase.” ThinkGeek still shows their order as Processing. I’m guessing ThinkGeek’s credit card authorization runs a little faster than Cyberguys, so they logged the sale even though I ordered from Cyberguys first.

Of course, I probably shouldn’t have used the number for two stores in the first place. However this does point up a security hole. An attacker who grabs the credit card number might still be able to use it before it’s used for its intended purpose. The virtual account number reduces the window of vulnerability, but doesn’t close it completely.

The whole process is too complicated to use routinely. Possibly the standalone Windows program is simpler. For sites I shop at regularly like Amazon and Fresh-Direct, I’ll just continue to use my real credit card number. However, for sites I may only shop at once, and where I’m not sure if I fully trust them, as well as for sites that want to bill me monthly even if I only need to use it once, this makes a lot of sense. I hope other credit card companies will follow suit.

Citibank does let you specify dollar and time limits; it’s just that the user interface is hidden.

The first screen you get when you click “Generate Virtual Account Number” is just a screen that says “Generate Virtual Account Number” and has OK and Back buttons. This looks like a useless screen.

But, at the bottom of the screen, in dark blue on slightly lighter blue text, is a link “Advanced Options”. If you click that, then you can choose from two options:
– Generate an account with a $ limit
– Generate an account with a $ limit and a time limit.

The user interface is pretty circuitous, but I guess they think most people don’t want to use that part.

For me, I prefer MBNA’s interface where they just always ask you for the limits.

Hello! This is Hendrik from Germany. I just read your article and it's nice. I have a question because here in Germany there is no bank offering this kind of service. Is it possible to apply as a German for an account with any US bank which offers this service? Doesn't matter which bank. Please let me know if there is any.

Not sure if anyone will find this or care, but I use a Macintosh computer. Citicard has two versions of the virtual account number software. A standalone application for Windows only, and a web-based version for both Windows and Mac users. The process for starting up the web-app on my Mac required me to log on to Citibank, go to the virtual account area, answer all the prompts for the web-based version, launch it, log on again, etc.

But there are two simpler methods. First, if you bookmark the web-based app’s URL, you will just be able to click that and go right there. Second, if you want a standalone application “feel” then you can look at Fluid (Mac only). Fluid lets you build an application on the Mac that is a “site specific browser” meaning that running the app will open a browser window and go to the virtual link you set for the app (i.e. use the URL from the first method). Now I have an app I can run anytime. Fluid can be found at http://fluidapp.com/

Also, I noticed some discussion thread questions on this topic. Citi *does* let you set an amount or time limit on a virtual account number — but you have to access it via the “Advanced Options” link which on my system required me to scroll down to the bottom of the web page to see it. I still wish they would provide a real “one-time use” card, but setting the dollar amount to just above the amount you’re charging basically accomplishes the same thing.
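The post's observation that the first authorization to reach the issuer consumes the number, together with the dollar and time limits described in the comments, can be modelled in a few lines. This is an added example, not part of the original post or comments and not Citibank's actual logic: the `VirtualNumber` record, the `authorize` rules, the store names, the amounts and the clock ticks are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class VirtualNumber:
    """Simplified issuer-side record for one virtual account number."""
    limit_cents: Optional[int] = None  # optional dollar limit
    expires_at: Optional[int] = None   # optional time limit (abstract clock tick)
    used: bool = False

def authorize(vn: VirtualNumber, amount_cents: int, now: int) -> str:
    """Decide one authorization request; the first approval consumes the number."""
    if vn.used:
        return "declined: already used"
    if vn.expires_at is not None and now > vn.expires_at:
        return "declined: expired"
    if vn.limit_cents is not None and amount_cents > vn.limit_cents:
        return "declined: over limit"
    vn.used = True
    return "approved"

def replay(vn: VirtualNumber, orders):
    """Process orders in the order the issuer sees them (by auth tick),
    not the order the customer placed them (by order tick)."""
    results = {}
    for merchant, amount, _order_tick, auth_tick in sorted(orders, key=lambda o: o[3]):
        results[merchant] = authorize(vn, amount, auth_tick)
    return results

# Constructed sample data: (merchant, amount in cents, order tick, auth tick).
# store-a is the intended purchase but its authorization arrives late.
INTENDED = ("store-a", 2495, 1, 9)
SMALL_OTHER = ("store-b", 1999, 2, 3)
LARGE_OTHER = ("store-c", 9995, 2, 3)

def no_limit():
    return replay(VirtualNumber(), [INTENDED, SMALL_OTHER])

def limit_blocks_large():
    return replay(VirtualNumber(limit_cents=2500), [INTENDED, LARGE_OTHER])

def limit_misses_small():
    return replay(VirtualNumber(limit_cents=2500), [INTENDED, SMALL_OTHER])

def time_limit_expired():
    return replay(VirtualNumber(expires_at=5), [INTENDED])

if __name__ == "__main__":
    for case in (no_limit, limit_blocks_large, limit_misses_small, time_limit_expired):
        print(case.__name__, case())
```

In this model a dollar limit set just above the intended charge caps the loss but does not stop a smaller charge that authorizes first, and a short time limit can decline the intended merchant if its authorization arrives late.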